Description
Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6.
Published: 2026-01-22
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unprivileged Access
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the WordPress User Registration plugin that allows attackers to exploit incorrectly configured access control security levels. This broken access control can enable unauthorized users to perform actions that should be restricted, potentially leading to the creation, modification, or deletion of user accounts and sensitive data. The weakness is identified as CWE‑862, highlighting a failure to enforce proper permissions.

Affected Systems

The issue affects the WordPress User Registration plugin sold by wpeverest, specifically all versions up to and including 4.4.6. Sites running any of these versions are at risk, while newer releases are presumed to have a fix.

Risk and Exploitability

With a CVSS score of 8.2 the vulnerability is considered high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s public-facing registration interface, where an attacker may submit crafted requests to perform unauthorized actions. Mitigation requires removing or patching the vulnerable code.

Generated by OpenCVE AI on April 28, 2026 at 09:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress User Registration plugin to any version newer than 4.4.6, if a patch is available from wpeverest.
  • If an update is not immediately available, disable the plugin’s public registration endpoints or restrict access to the registration pages to trusted IP addresses.
  • Verify that all access control configurations for user roles and capabilities are correctly defined and enforce the principle of least privilege.

Generated by OpenCVE AI on April 28, 2026 at 09:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}

Thu, 29 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpeverest
Wpeverest user Registration
Vendors & Products Wordpress
Wordpress wordpress
Wpeverest
Wpeverest user Registration

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6.
Title WordPress User Registration plugin <= 4.4.6 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpeverest User Registration
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:55.997Z

Reserved: 2025-12-15T10:00:16.553Z

Link: CVE-2025-67956

cve-icon Vulnrichment

Updated: 2026-01-29T17:17:09.071Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:05.150

Modified: 2026-04-29T10:16:52.257

Link: CVE-2025-67956

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:00:06Z

Weaknesses